testing whonix 14 - debian.org makes apt update fail on gateway

Just trying out Whonix 14 and found that apt update fails on the gateway because there is no DNS resolution for security.debian.org and ftp.us.debian.org, which are both in /sources.d/debian.list along with onion mirrors, which connect fine.

Is this just a hangover from testing with DNS turned on, and will it be changed upon release so that they should be commented out?

Hi kuruu

It may be that these servers are overloaded or down at the moment. How long has this been going on for?

https://whonix.org/wiki/Update#Operating_System

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix or the user is the victim of a man-in-the-middle attack. [6] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

Maybe it is a misunderstanding, but I thought that the gateway should only connect to .onion servers. I realise looking at my original post that I did not mention that this was on the gateway… key detail there

The DNS for the gateway points to local addresses not assigned to anything.

user@host:~$ cat /etc/resolv.conf
nameserver 10.137.7.1
nameserver 10.137.7.254

Here is the full apt update output.

user@host:~$ sudo apt update
[sudo] password for user:         
Err:1 http://ftp.us.debian.org/debian stretch InRelease
  Temporary failure resolving 'ftp.us.debian.org'
Err:2 http://deb.whonix.org stretch InRelease                                          
  Temporary failure resolving 'deb.whonix.org'
Err:3 http://security.debian.org stretch/updates InRelease                             
  Temporary failure resolving 'security.debian.org'
Ign:4 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease                       
Get:5 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease [13.2 kB]                                                                 
Hit:6 tor+http://vwakviie2ienjx6t.onion/debian stretch Release                          
Get:8 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease [94.3 kB]             
Fetched 107 kB in 1min 26s (1,240 B/s)                                                  
Reading package lists... Done                                                           
Building dependency tree       
Reading state information... Done
1 package can be upgraded. Run 'apt list --upgradable' to see it.
W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease  Temporary failure resolving 'security.debian.org'
W: Failed to fetch http://ftp.us.debian.org/debian/dists/stretch/InRelease  Temporary failure resolving 'ftp.us.debian.org'
W: Failed to fetch http://deb.whonix.org/dists/stretch/InRelease  Temporary failure resolving 'deb.whonix.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Don’t comment out. Probably transient issue. Change your Tor circuit.
Try later. All documented here:
Operating System Software and Updates - Kicksecure

7 posts were merged into an existing topic: apt-get DNS Bypasses apt.conf Proxy Settings

Yeah, appears enabled on mine. Have not changed from default on gateway:

cat 30_whonix_gateway_default.conf |grep -i transparent
WORKSTATION_TRANSPARENT_TCP=1
WORKSTATION_TRANSPARENT_UDP=0
WORKSTATION_TRANSPARENT_DNS=1
GATEWAY_TRANSPARENT_TCP=0
GATEWAY_TRANSPARENT_UDP=0
GATEWAY_TRANSPARENT_DNS=0

Which hypervisor? On Qubes, 10.137.7.1 should be the IP address of the vif* interfaces on your sys-whonix proxyVM.

VirtualBox

A post was split to a new topic: apt-get DNS Bypasses apt.conf Proxy Settings

@kuruu Please disregard all of my posts in this thread. They have nothing to do with your issue. Given that you’re using VirtualBox, we need to start over from the beginning. Unfortunately, I don’t have access to a VirtualBox setup and I’m also behind in Whonix 14 knowledge. Maybe @tempest can help?

For VirtualBox users, it matters whether you use apt or apt-get. apt-get is torified. apt will try to communicate over clearnet, which Whonix-Gateway does not allow. Whonix-Gateway can optionally torify your clearnet traffic but as you stated earlier, you have not changed the defaults: GATEWAY_TRANSPARENT_TCP=0; GATEWAY_TRANSPARENT_DNS=0. apt should simply fail.

There are 2 things happening that I don’t understand:

  1. Your nameserver should be set to 127.0.0.1 instead of:

In practice, this probably only matters if you enable GATEWAY_TRANSPARENT_DNS since all other traffic will be directed by uwt to localhost:SocksPort.

  2. apt should fail and it does for clearnet but it succeeds for onion repos. Is that intended behavior from Whonix-Gateway? What proxy does non-Qubes-Whonix use for Acquire:tor:proxy?

By the way… Some addendum on technical details only.

Whonix-Gateway’s own traffic could be transparently torified (currently it has no system default networking, all is socksified pointing to Tor).

GATEWAY_TRANSPARENT_DNS alone is not enough to make DNS work on Whonix-Gateway. Please see whonix-firewall source code for the limited things that it does. User user, root user and others besides user clearnet would still be firewall restricted by default. You’d have to allow the root user (another whonix-firewall configuration option) to be able to connect and disable uwt for apt-get (Disable Stream Isolation: Easy).

/etc/resolv.conf would have to be pointed to nameserver 127.0.0.1.

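An added shell diagnostic (mine, not from the thread or the Whonix project) that encodes the expectation stated in the two posts above: with the default GATEWAY_TRANSPARENT_DNS=0, and resolv.conf not pointing at 127.0.0.1, the gateway has no path to resolve clearnet mirror names, so only the socksified onion fetches succeed. The function names, file paths and sample inputs are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic for the gateway case discussed in this thread; not Whonix tooling.
# It reads GATEWAY_TRANSPARENT_DNS from a whonix-firewall config file and the first
# nameserver in a resolv.conf, reports whether a clearnet apt fetch on the gateway
# can be expected to resolve hostnames, and sorts apt output lines into onion
# successes vs clearnet DNS failures. File paths are passed as arguments.

# classify_apt_line LINE -> onion-ok | onion-dns-fail | clearnet-dns-fail | other
classify_apt_line() {
    case "$1" in
        *"Temporary failure resolving '"*.onion"'"*) echo "onion-dns-fail" ;;
        *"Temporary failure resolving"*)             echo "clearnet-dns-fail" ;;
        Get:*.onion*|Hit:*.onion*)                   echo "onion-ok" ;;
        *)                                           echo "other" ;;
    esac
}

# gateway_dns_expectation CONF_FILE RESOLV_FILE -> one-line verdict
gateway_dns_expectation() {
    tdns=$(sed -n 's/^GATEWAY_TRANSPARENT_DNS=//p' "$1" | tail -n 1)
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$2")
    if [ "${tdns:-0}" != "1" ]; then
        # Thread default: transparent DNS off, so nothing on the gateway resolves
        # clearnet names; only socksified tools (apt-get via uwt) reach Tor.
        echo "clearnet-dns-blocked:GATEWAY_TRANSPARENT_DNS=${tdns:-unset}"
    elif [ "$ns" != "127.0.0.1" ]; then
        # Transparent DNS on, but the resolver still points somewhere other than
        # the local Tor DNSPort that Patrick says resolv.conf must name.
        echo "clearnet-dns-misrouted:nameserver=$ns"
    else
        echo "clearnet-dns-possible"
    fi
}

# demo: constructed inputs mirroring the defaults and resolv.conf quoted above
demo() {
    d=$(mktemp -d)
    printf 'GATEWAY_TRANSPARENT_TCP=0\nGATEWAY_TRANSPARENT_DNS=0\n' > "$d/fw.conf"
    printf 'nameserver 10.137.7.1\nnameserver 10.137.7.254\n' > "$d/resolv.conf"
    gateway_dns_expectation "$d/fw.conf" "$d/resolv.conf"
    rm -rf "$d"
}
```

Pipe the apt output through a `while read` loop calling classify_apt_line to see at a glance that every failure is a clearnet name and every success an onion one, which is the pattern the verdict explains.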

entr0py:

  2. apt should fail and it does for clearnet but it succeeds for onion repos. Is that intended behavior from Whonix-Gateway?

No.

Expected: apt-get should work for both clearnet and onion. I doubt that will ever be changed. However in Whonix 15 we may go for only onion sources by default.

What proxy does non-Qubes-Whonix use for Acquire:tor:proxy?

None. uwt only.

Right. I understand that apt-get is socksified. But OP is using apt update, so my reply was regarding expected behavior with apt. Am I misunderstanding how apt works? It should fail completely but it is somehow able to retrieve the onion repos.

Is apt internally executing apt-get or vice versa?